To learn more, in the lab and in the real world, a team of researchers from the Technical University Berlin, Ulm University and University of Michigan, led by TU Berlin Ph.D. candidate Lydia Kraus, developed EmojiAuth, an emoji-based login system for Android smartphones. How well would users remember their emoji passcodes? Could they be more secure, too? And might they be more fun, adding a bit of enjoyment every time a user unlocked her phone?

In our initial experiment, we gave 53 participants an Android phone and divided them into two groups. The first group of 27 people selected a passcode made up of any of 12 emojis on an emoji keyboard individually generated for each user from the library of all possible emoji icons. (Once set, each user’s emoji keyboard stayed the same.) The remaining 26 people picked a numeric PIN.

People most frequently used one of three methods to choose an emoji sequence: based on a pattern on the emoji keyboard (such as down one side or emojis in the corners), personal preferences for particular emojis and constructing stories with the emojis. For example, one participant had a song in mind and chose emojis that corresponded to the words of the song. After practicing entering their new passwords several times, the subjects were asked to return a week later to reenter their passwords into our test smartphone.

Our lab results showed both PINs and emoji passcodes were very memorable. Overall, PIN users remembered their passwords slightly more often, though that may be because many people are used to memorizing PINs. But the people who used emoji passcodes reported having more fun entering their codes.

Out in the field

Next, we wanted to explore how emoji passcodes held up in everyday use. On the Android phones of 41 participants, we installed a special login screen for their smartphones’ email app for about two weeks. About half of them used emoji passcodes; the others used PINs.

As we had found in the lab study, the users who used emoji passcodes picked emojis that made patterns on the keyboard, or that they personally like, or matched stories they made up.

Both groups of users, those using emojis and those using PINs, reported their passcode was easy to remember and use. But the emoji-using group’s passcodes were more fun to enter than just numbers.

Additional security

At the end of the field study, we tested the security of emoji passcodes. We asked participants to “shoulder surf,” peeking over the researcher’s shoulder while she entered a passcode.

We found that emoji passcodes consisting of six randomly selected emojis were hardest to steal over a user’s shoulder. Other types of passcodes, such as four or six emojis in a pattern, or four or six numeric digits, were easier to observe and recall correctly.

Our studies, which one of our team is presenting on May 30 in Rome, show that emoji-based mobile authentication is not only practical but also an enjoyable method of remembering and protecting passwords – so long as users don’t use emojis in a sequence that correspond to a pattern on the keyboard.

To learn more, in the lab and in the real world, a team of researchers from the Technical University Berlin, Ulm University and University of Michigan, led by TU Berlin Ph.D. candidate Lydia Kraus, developed EmojiAuth, an emoji-based login system for Android smartphones. How well would users remember their emoji passcodes? Could they be more secure, too? And might they be more fun, adding a bit of enjoyment every time a user unlocked her phone?

In our initial experiment, we gave 53 participants an Android phone and divided them into two groups. The first group of 27 people selected a passcode made up of any of 12 emojis on an emoji keyboard individually generated for each user from the library of all possible emoji icons. (Once set, each user’s emoji keyboard stayed the same.) The remaining 26 people picked a numeric PIN.

People most frequently used one of three methods to choose an emoji sequence: based on a pattern on the emoji keyboard (such as down one side or emojis in the corners), personal preferences for particular emojis and constructing stories with the emojis. For example, one participant had a song in mind and chose emojis that corresponded to the words of the song. After practicing entering their new passwords several times, the subjects were asked to return a week later to reenter their passwords into our test smartphone.

Our lab results showed both PINs and emoji passcodes were very memorable. Overall, PIN users remembered their passwords slightly more often, though that may be because many people are used to memorizing PINs. But the people who used emoji passcodes reported having more fun entering their codes.

Out in the field

Next, we wanted to explore how emoji passcodes held up in everyday use. On the Android phones of 41 participants, we installed a special login screen for their smartphones’ email app for about two weeks. About half of them used emoji passcodes; the others used PINs.

As we had found in the lab study, the users who used emoji passcodes picked emojis that made patterns on the keyboard, or that they personally like, or matched stories they made up.

Both groups of users, those using emojis and those using PINs, reported their passcode was easy to remember and use. But the emoji-using group’s passcodes were more fun to enter than just numbers.

Additional security

At the end of the field study, we tested the security of emoji passcodes. We asked participants to “shoulder surf,” peeking over the researcher’s shoulder while she entered a passcode.

We found that emoji passcodes consisting of six randomly selected emojis were hardest to steal over a user’s shoulder. Other types of passcodes, such as four or six emojis in a pattern, or four or six numeric digits, were easier to observe and recall correctly.

Our studies, which one of our team is presenting on May 30 in Rome, show that emoji-based mobile authentication is not only practical but also an enjoyable method of remembering and protecting passwords – so long as users don’t use emojis in a sequence that correspond to a pattern on the keyboard.